On Wed, May 18, 2011 at 02:38:54PM +0200, Ionuț Arțăriși wrote:
> On 05/18/2011 01:14 PM, Jan Pazdziora wrote:
> > ...
> > Nack. This is SQL-injection-prone. You have to use bind parameters
> > or sanitize the input properly.
> Thanks, I have fixed the SQL issue.
It's still somewhat missing in your patch.

> + # transform the list of ints to an sql list that we can forcibly
> + # insert into the sql statement
> + sql_list = ', '.join([str(i) for i in errata_ids])
> +
> + sql = """SELECT id, advisory_name FROM RhnErrata
> + WHERE id IN (%s)"""
> + h = rhnSQL.prepare(sql % sql_list)

-- 
Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat

_______________________________________________
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel
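Review bot: the `sql % sql_list` line still splices caller-supplied values into the statement text, so the injection Jan nacked is not closed; `str(i)` only yields safe integer literals if every element of `errata_ids` is already an int, and nothing in the hunk checks that. Either bind the values (emit one bind variable per element, e.g. `:id0, :id1, ...`, and pass the ints to the prepared handle) or at minimum coerce each element with `int()` before joining, `sql_list = ', '.join(str(int(i)) for i in errata_ids)`, so anything that is not an integer raises instead of landing in the query. The comment "that we can forcibly insert into the sql statement" should also go once the values are bound rather than interpolated.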
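The bind-parameter fix Jan asks for, as an added example that is not part of this thread or of the Spacewalk code base: the interpolating pattern from the patch beside a bound version, both run against a constructed in-memory sqlite3 table standing in for RhnErrata (assumed: rhnSQL-style `:name` bind variables, which sqlite3 also accepts).

```python
import sqlite3


def make_demo_db():
    """Constructed stand-in for the RhnErrata table (sqlite3, not rhnSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE RhnErrata (id INTEGER PRIMARY KEY, advisory_name TEXT)")
    conn.executemany(
        "INSERT INTO RhnErrata VALUES (?, ?)",
        [(1, "RHSA-2011:0001"), (2, "RHSA-2011:0002"), (3, "RHSA-2011:0003")],
    )
    return conn


def errata_names_unsafe(conn, errata_ids):
    """The pattern from the patch: values are pasted into the SQL text.
    Any element that is not already an int reaches the parser verbatim."""
    sql_list = ", ".join(str(i) for i in errata_ids)
    sql = "SELECT id, advisory_name FROM RhnErrata WHERE id IN (%s)" % sql_list
    return conn.execute(sql).fetchall()


def errata_names_bound(conn, errata_ids):
    """Hardened form: one named bind variable per element. Only the
    placeholder names are built into the statement; the values are
    handed to the driver separately and never touch the SQL text."""
    ids = [int(i) for i in errata_ids]  # rejects anything that is not an integer
    if not ids:
        return []  # "IN ()" is a syntax error; short-circuit the empty case
    names = ["id%d" % n for n in range(len(ids))]
    placeholders = ", ".join(":" + n for n in names)  # e.g. ":id0, :id1"
    sql = "SELECT id, advisory_name FROM RhnErrata WHERE id IN (%s)" % placeholders
    return conn.execute(sql, dict(zip(names, ids))).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(errata_names_bound(db, [1, 3]))
```

With a non-integer element in `errata_ids`, the bound version raises `ValueError` before any SQL runs, whereas the interpolated version executes whatever text it was handed.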